
Hyatt Regency Century Plaza

OARC's Fall 2014 Workshop and AGM will take place in Los Angeles, California, in conjunction with the ICANN51 meeting, and is sponsored by:

Sponsorship tiers: Diamond and Social Sponsor, Meeting Host, Silver Sponsor, Bronze Sponsor.

The OARC AGM and member-only session will be held on Saturday 11th October, the main workshop on Sunday 12th, and a joint session with ICANN's Tech Day on Monday 13th.

OARC Workshop meetings are open to OARC members and to all other parties interested in DNS operations and research, with ICANN attendees particularly welcome this time around. Meeting registration is free, with priority given to OARC Members, Speakers and Sponsors if space is limited. Please also consider donating toward the Workshop running costs via the Donation Link.

Westside

Hyatt Regency Century Plaza


2025 Avenue of the Stars
Los Angeles
California 90067
USA

This demonstration-based talk will cover various results of Nominet's analytics efforts over the last four years.
The talk will discuss various incidents, misconfigurations, bugs, attacks and malware behaviour we have uncovered by visualizing and interacting with DNS data. I’ll go through a few stories:
1) The limitations we had using existing tools, and the requirements we had when building our analytics tool.
2) How we found CVE-2011-2464 (BIND bug) by understanding how a secondary nameserver should behave, and subsequently looking for abnormalities.
3) How we spot suspicious behaviour and subsequently track a botnet.
4) How we spot abnormal behaviour and subsequently track CryptoLocker.
5) How two bugs in different implementations amplify each other. A story about Google and BIND.
6) The effect of RRL during an attack.
7) How OpenDNS improved on their shutter time.
8) The importance of interaction _and_ visualisation (and as a natural consequence, timeliness).

Trader Vic's

Beverly Hilton


Convener:
Mr. Sebastian Castro
(.nz Registry Services)

Audio Archive

09:00

Analysis of TCP traffic in DITL data (30m)

The historical archive of DITL data is analyzed for trends in TCP traffic, answering some of the following questions: are TCP sources representative of UDP sources? Does TCP always follow a UDP TC=1 response? Do TCP and UDP sources have similar query type distributions? Are response sizes increasing over time, leading to more TCP? What do TCP connections indicate regarding latency?

Speaker:
Duane Wessels
(Verisign)

Slides

09:30

DNS Name Collision Risk Mitigation (30m)

Starting August 2014, new gTLDs have been required to insert certain records in their DNS zone to manage name collision risks. This presentation provides a description of the mitigation measures and operational experiences regarding the management of risks related to name collisions in the DNS associated with the introduction of new TLDs.

Speaker:
Francisco Arias
(ICANN)

Slides

10:00

A country-level Analysis of the OARC DITL root traces 2009-2014 (20m)

I would like to present an analysis of a country level breakdown of the DNS traffic captured by the OARC members on the DITL traces between 2009 and 2014.

Speaker:
Bradley Huffaker
(CAIDA/UCSD)

Slides

10:20

2014 Root DITL Data analysis and TLD popularity analysis (20m)

The presentation reports statistics of the 2014 DITL root dataset and differences from previous data.
It also tries to show the popularity of each TLD.
The data may show the share of usage of TLDs in each country.

Speaker:
Mr. Kazunori Fujiwara
(Japan Registry Services Co., Ltd)

Slides

10:40

Coffee Break (20m)

11:00

Measuring the cost of DNSSEC (30m)

The presentation provides some measurements on the incremental cost of signing a domain name. It looks at the profile of additional time taken to resolve a signed name by a DNSSEC-validating resolver and, from the perspective of the authoritative name server, quantifies the additional query and traffic load when serving a signed zone as distinct from an unsigned zone. The presentation also extrapolates this load to the situation where all resolvers perform DNSSEC validation.

Speaker:
Mr. Geoff Huston
(APNIC)

Slides

11:30

OARC's Technical Report (30m)

Report from William Sotomayor about the work done by the OARC Technical team since the last workshop.

Speaker:
Mr. William Sotomayor
(DNS-OARC)

Slides

12:00

Improved NSEC3 performance in DNSSEC (30m)

A challenge in DNSSEC is that the ‘NSEC3’ records used to assert the non-existence of a given domain name can create a significant computational load on the DNS servers. This document describes an application of a cryptographic technique known as a ‘time-lock puzzle’ to the calculation of NSEC3 records. This provides a means of reducing this load whilst simultaneously increasing the security against DNS record enumeration offered by NSEC3.

In this presentation, we describe security metrics for Top-Level Domains (TLDs) and we measure their operational values using DNS query data and other data sources such as botnet and phishing feeds. They can serve as publicly available signals to different classes of intermediaries such as registries, registrars, or hosting providers, and can offer them the option to benchmark themselves against their market. There currently exists very little empirical information about the security performance of TLDs and of the overall DNS ecosystem.
We distinguish three types of security metrics, each at a different layer of abstraction. The top layer involves the security metrics of an entire TLD such as .nl, .com, or .amsterdam. The second layer of abstraction consists of security metrics for market players under TLDs. These are Internet infrastructure providers, registries, registrars, and hosting providers. Examples of security metrics at this layer include the concentration of malicious domains across players and their up-times. The third layer is a break-down of the second layer and involves security metrics for network resources managed by each of the players, such as DNS resolvers or authoritative name servers. In this presentation, we pay special attention to the second layer and we develop reputation metrics for registries, registrars, and hosting providers with respect to the TLD layer.
In our future work, we plan to correlate the abuse rate reflected in the reputation metrics proposed here with registry policy, such as pricing, the correctness of the WHOIS data, security monitoring of the DNS infrastructure, etc.

Speaker:
Dr. Maciej Korczynski
(Delft University of Technology)

Slides

14:00

A Survey of Current DANE/TLSA Deployment (20m)

As adoption of DNS Security Extensions (DNSSEC) grows, DNS-based Authentication of Named Entities (DANE) provides an alternative to traditional CA-based certificate authentication. The DANE TLSA protocol specification was published in 2012. It is generally unknown to the DNS community how widely DANE TLSA has been deployed and how TLSA records are used. In this talk, we present a survey of current deployment of DANE TLSA. We developed PryDane, a tool for actively probing names that may have TLSA records and validating those records against the server certificates. Based on the data we collected, we conclude that DANE TLSA is not widely deployed at this time. Our probing data shows that the most common (>80%) usage of TLSA records is: domain-issued cert matching the full cert with SHA-256. Our validation results show that there are consistently about 7%-10% of DANE-enabled names with invalid TLSA records. We explored the reasons for these mismatches, such as wrong certs and incorrect parameters in TLSA records.

Speaker:
Liang Zhu
(USC/Information Sciences Institute)

Slides
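The check the survey above describes, as an added example that is not the PryDane tool or any code from the talk: it builds the "3 0 1" record (DANE-EE usage, full certificate, SHA-256) the abstract reports as the dominant form, parses records back from zone-file syntax, and validates them against a presented certificate, reporting the two failure classes the talk names: a record whose data simply does not match the certificate, and a record whose parameters are malformed (digest length inconsistent with the matching type). The certificate is a constructed byte string standing in for DER; a real check hashes the DER received in the TLS handshake. Selector 1 (SubjectPublicKeyInfo) needs an ASN.1 parser and is reported as unsupported rather than faked.

```python
"""TLSA (RFC 6698) record generation and validation. Added example; the
certificate bytes are constructed, not a real X.509 object."""
import hashlib
from dataclasses import dataclass

# Length of the association data implied by each matching type.
DIGEST_LEN = {1: 32, 2: 64}


@dataclass(frozen=True)
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    matching: int   # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes     # certificate association data

    @classmethod
    def from_presentation(cls, text: str) -> "TLSA":
        """Parse the zone-file form, e.g. '3 0 1 <hex digits>'."""
        usage, selector, matching, *hex_parts = text.split()
        return cls(int(usage), int(selector), int(matching),
                   bytes.fromhex("".join(hex_parts)))

    def presentation(self) -> str:
        return f"{self.usage} {self.selector} {self.matching} {self.data.hex()}"


def association_data(cert_der: bytes, selector: int, matching: int) -> bytes:
    """What a record with this selector/matching type must carry for cert_der."""
    if selector != 0:
        # Selector 1 means the DER SubjectPublicKeyInfo, which needs an ASN.1
        # parser (e.g. the 'cryptography' package); out of scope here.
        raise NotImplementedError("selector 1 (SPKI) not supported in this example")
    if matching == 0:
        return cert_der
    if matching == 1:
        return hashlib.sha256(cert_der).digest()
    if matching == 2:
        return hashlib.sha512(cert_der).digest()
    raise ValueError(f"unknown matching type {matching}")


def make_tlsa(cert_der: bytes, usage: int = 3, selector: int = 0, matching: int = 1) -> TLSA:
    """Publishing side: build the record for a certificate (default 3 0 1)."""
    return TLSA(usage, selector, matching, association_data(cert_der, selector, matching))


def validate(records, cert_der: bytes):
    """Verifying side: returns (ok, reasons). ok when at least one DANE-EE
    record matches the presented end-entity certificate. Usages 0-2 need the
    PKIX chain or a trust-anchor walk and are only reported as skipped."""
    reasons = []
    for r in records:
        if r.usage != 3:
            reasons.append(f"usage {r.usage} skipped (needs chain handling)")
            continue
        if r.matching in DIGEST_LEN and len(r.data) != DIGEST_LEN[r.matching]:
            reasons.append(f"malformed: matching type {r.matching} needs "
                           f"{DIGEST_LEN[r.matching]} bytes, got {len(r.data)}")
            continue
        try:
            expected = association_data(cert_der, r.selector, r.matching)
        except (NotImplementedError, ValueError) as exc:
            reasons.append(str(exc))
            continue
        if expected == r.data:
            reasons.append("matched")
            return True, reasons
        reasons.append("mismatch: wrong certificate or stale record")
    return False, reasons


# Constructed stand-in for a DER-encoded certificate (not a real X.509 object).
SAMPLE_CERT_DER = b"\x30\x82\x01\x00" + b"constructed-certificate-bytes"

if __name__ == "__main__":
    rec = make_tlsa(SAMPLE_CERT_DER)
    print(rec.presentation())
    print(validate([rec], SAMPLE_CERT_DER))
    print(validate([rec], SAMPLE_CERT_DER + b"!"))   # renewed cert, stale record
```

The stale-record case is the operational one to watch: a "3 0 1" record pins the full certificate, so every renewal changes the digest and the TLSA record must be rolled with it (publish the new record, wait out the TTL, then switch certificates), otherwise validating clients see exactly the mismatch the survey counts.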

14:20

Preserving case-sensitivity in zone names (20m)

In early 2014 a BIND user encountered a problem with some SIP phones that turned out to be due to the fact that, while compressing zone updates, we were not preserving case. We determined that CamelCasing is allowed, and thus case should be preserved by IETF specification. We then consulted with a number of operating system publishers and agreed on a solution. This brief presentation will explain how BIND handles this situation and introduce others to the issue.

Speaker:
Victoria Risk
(ISC)

Slides

14:40

NSEC5: Provably Preventing DNSSEC Zone Enumeration (30m)

DNSSEC is designed to prevent network attackers from tampering with domain name system (DNS) messages. The cryptographic machinery used in DNSSEC, however, also creates a new vulnerability, zone enumeration, where an adversary launches a small number of online DNSSEC queries and then uses offline dictionary attacks to learn which domain names are present or absent in a DNS zone.
We propose a new cryptographic construction that solves the problem of DNSSEC zone enumeration while remaining faithful to the operational realities of DNSSEC. NSEC5 can be thought of as a variant of NSEC3 in which the unkeyed hash function is replaced with a deterministic RSA-based keyed hashing scheme.
We also show that a public-key operation is necessary to prevent zone enumeration. Specifically, we prove that security against network attackers and privacy against zone enumeration cannot be satisfied simultaneously unless the DNSSEC server performs online public-key cryptographic operations.

Speaker:
Prof. Sharon Goldberg
(Boston University)

Slides

15:10

Coffee Break (20m)

15:30

The Gift that Keeps on Giving: Open DNS Proxies (30m)

DNS DDoS attacks continue, fueled by open DNS proxies. Now they're stressing resolvers and authorities worldwide using pseudo random subdomains. In June of 2014 there was a 400% increase in this traffic and popular domains continue to be targeted. Analysis of recent DNS data reveals other interesting details. For instance, Response Rate Limiting in authorities appears to aggravate attacks.
This presentation will cover the latest attack data as well as tests of the major resolvers showing the impact of capabilities to mitigate them, ranging from changes in recursive behaviors to filtering traffic at ingress.

Speaker:
Mr. Ralf Weber
(Nominum)

Slides
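One way to spot the pseudo-random subdomain floods the talk above describes in a resolver's query log, as an added example that is not code or data from the talk: per parent domain it counts queries, the NXDOMAIN share, how many of the queried labels are distinct, the mean Shannon entropy of those labels, and the number of distinct source addresses (the many-sources signature of traffic arriving through open proxies). The log format ("timestamp client qname rcode") and all log lines are constructed for the example; the thresholds are starting points, not tuned values.

```python
"""Pseudo-random subdomain (PRSD) flood detection over resolver query logs.
Added example; the log lines and their format are constructed."""
import hashlib
import math
from collections import defaultdict


def _constructed_log():
    """Deterministic sample: ordinary lookups under example.com from three
    clients, then a burst of random-label queries under victim.example from
    twenty sources. Entirely synthetic."""
    lines = []
    for i in range(30):
        qname = ["www.example.com", "mail.example.com", "www.example.com"][i % 3]
        lines.append(f"{1000 + i} 10.0.0.{i % 3 + 1} {qname} NOERROR")
    for i in range(40):
        label = hashlib.sha1(f"prsd-{i}".encode()).hexdigest()[:12]
        lines.append(f"{2000 + i} 198.51.100.{i % 20 + 1} {label}.victim.example NXDOMAIN")
    return lines


SAMPLE_LOG = _constructed_log()


def parent_domain(qname: str, depth: int = 2) -> str:
    """Aggregation key: the last `depth` labels of the query name."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-depth:])


def shannon_entropy(text: str) -> float:
    """Bits per character; random hex labels score well above 'www' or 'mail'."""
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def detect(lines, min_queries=20, nx_ratio=0.8, distinct_ratio=0.9, min_entropy=2.5):
    """Return {parent: stats} for parents whose traffic looks like a PRSD flood:
    enough volume, mostly NXDOMAIN, almost every label unique, high-entropy labels."""
    stats = defaultdict(lambda: {"n": 0, "nx": 0, "labels": set(), "clients": set()})
    for line in lines:
        _ts, client, qname, rcode = line.split()
        s = stats[parent_domain(qname)]
        s["n"] += 1
        s["nx"] += rcode == "NXDOMAIN"
        s["labels"].add(qname.lower().split(".")[0])
        s["clients"].add(client)
    flagged = {}
    for parent, s in stats.items():
        if s["n"] < min_queries:
            continue
        nx = s["nx"] / s["n"]
        distinct = len(s["labels"]) / s["n"]
        entropy = sum(shannon_entropy(lb) for lb in s["labels"]) / len(s["labels"])
        if nx >= nx_ratio and distinct >= distinct_ratio and entropy >= min_entropy:
            flagged[parent] = {
                "queries": s["n"],
                "nxdomain_ratio": round(nx, 2),
                "distinct_ratio": round(distinct, 2),
                "mean_label_entropy": round(entropy, 2),
                "clients": len(s["clients"]),
            }
    return flagged


if __name__ == "__main__":
    for parent, info in detect(SAMPLE_LOG).items():
        print(parent, info)
```

Once a parent is flagged, the response the talk evaluates is on the recursive side (rate-limiting or temporarily refusing queries for that parent, or filtering at ingress), not RRL on the authority, which the abstract notes can make the flood worse from the resolver's point of view because retries keep the resolver's outstanding-query slots busy.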

16:00

DNS - the glue in the IoT (30m)

In the Internet of Things (IoT), the "Things" could be anything from refrigerators to humans to books. These "things" should be identifiable in at least one unique way, so that they can be addressed and communicate with each other. This is made possible by attaching/embedding different data carrier devices such as barcodes, RFID, sensors etc. to the 'things'.
Sensors, for example, could be identified by MAC or IPv6 address. Similarly, barcodes and RFID tags are encoded with an identifier based on different identification schemes such as Universal Product Code (UPC), Electronic Product Code (EPC), ucode etc. The basic features of these identifiers are: they are allocated hierarchically, control is decentralised, and the nature of allocation makes sure that there is no duplication.
The identifier properties described in the previous paragraph are similar to domain name allocation and management, and thus identifiers in IoT could leverage the DNS infrastructure and software for allocation and resolution. Leveraging DNS for other uses started with ENUM for telephone numbers, and for IoT there already exist overlay mechanisms/services such as the Object Naming Service (ONS) [EPCglobal standard] and the Object Directory Service (ODS) [ITU-T standard] which use the DNS to resolve IoT identifiers (in their respective identification schemes) to their related digital information.
As DNS acts as a "glue" in the current Internet, where its basic feature is to resolve "human-friendly" host names to their corresponding "machine-friendly" IP addresses, in IoT too it has been proved that DNS could be a glue for certain identification schemes.
This talk will concentrate on
[1] How DNS could be leveraged for resolving a 'thing' associated with an RFID based on our experiences in working on the WINGS [WINGS] project and contributing to the ONS 2.0 standard [EPCglobal standard]
[2] The issues involved in using DNS for resolution in the Wireless sensor network (i.e using Sensor devices) based on a recently started collaborative project [WSNProject].
[3] If time permits, IoT standardisation activities at the IETF relating to DNS
[WINGS] http://www.wings-project.fr/
[EPCglobal standard] http://www.gs1.org/gsmp/kc/epcglobal/ons/ons_2_0_1-standard-20130131.pdf
[ITU-T standard] Object Directory Service for Mobile AIDC services (ISO/IEC 29177)
[WSNProject] http://www.labfab.fr/portfolio/lora-fabian/

Speaker:
Mr. Sandoche Balakrichenan
(Afnic)

Slides

16:30

Orient data vertically for faster analysis (30m)

Column store databases are a newer entry to the big data realm. They handle structured data like DNS queries exceptionally well and work best with minimal data normalization. Queries execute significantly faster than RDBMS technology (~ 100 times faster).
This talk will outline the technology at a high level and walk through examples of data loading, compression, and reporting using a freely available Column Store DB as well as Nominum’s experiences and findings analyzing large amounts of DNS data.
No normalization, fast data loading, no indexing, fast queries and SQL... what's not to like?

Speaker:
Mr. Adrian Beaudin
(Nominum)

Slides

17:00

Test cases for domain checks -- a step towards a best practice (20m)

Zonemaster is an upcoming tool for controlling DNS zones. It is designed to replace the .SE DNSCheck and the .FR ZoneCheck with better performance, modularity and scalability. One of the design goals is to have explicit test cases for the tool, i.e. exactly what are the requirements of the tested zone that the tool should test? What outcomes should return pass and what outcomes should return fail? Those explicit specifications, i.e. the test cases, will at the same time be the ground for the validation of the tool.
The goal of the test cases is more than being the requirements for Zonemaster; our ambition is to develop a best practice for zone delegations by having transparent and publicly available specifications that are independent of the test tool. The Zonemaster test tool could be seen as one implementation of those specifications.
The test cases should not only capture a completely valid delegation, but they should also be the ground for meaningful error messages when things are more or less bad.
In my presentation I will present the major test cases for the tool and some test cases where the outcome needs consideration and where discussions and suggestions could help the development.
The material for the project is publicly available at Github, https://github.com/dotse/zonemaster


DNSViz has been developed as a Web-based tool for analysis, visualization, education, and troubleshooting of DNS and DNSSEC. The tool has recently been reworked for extensibility and portability, including a downloadable library and tool suite available under an open source license, and a revamped Web site. We discuss the new features available with DNSViz, future plans, and how to get involved.

Speaker:
Dr. Casey Deccio
(Verisign Labs)

Slides

11:50

Low-Cost Threshold Cryptography HSM for OpenDNSSEC (20m, Westside)

The DNS Security Extensions (DNSSEC) add a new layer of security based on public-key infrastructure: each DNS record is digitally signed to verify the authenticity of the answer. However, the introduction of DNSSEC has an impact on the operational workflow of DNS systems: (i) signatures have an expiration date, hence the records must be periodically re-signed, and (ii) key management tasks can be overwhelming. These are problems especially for DNS zones with many records (for instance a Top Level Domain).
The adoption of a Hardware Security Module (HSM) is an option to provide highly secured key and signature management. Nevertheless, HSMs are expensive and hardware can fail. We present a novel system based on threshold cryptography to support the operational signing workflow of DNSSEC. This approach significantly improves the security and availability of the overall system since the secret key is never stored in a single place; it is spread among the nodes of the system.

Speaker:
Mr. Francisco Cifuentes
(NIC Chile Research Labs)

Slides

12:10

Measuring the Leakage of Onion at the DNS Root (20m, Westside)

The Tor project provides individuals with a mechanism of communicating anonymously on the Internet. Furthermore, Tor is capable of providing anonymity to servers, which are configured to receive inbound connections only through Tor (more commonly called hidden services). In order to route requests to these hidden services, a namespace is used to identify the resolution requests to such services. A namespace under a non-delegated (pseudo) top-level-domain (TLD) of .onion was elected. Although the Tor system was designed to prevent .onion requests from leaking into the global DNS resolution process, numerous requests are still observed in the global DNS.
In this talk I propose to present the state of .onion requests received at the global public DNS A and J root nodes, and a complementary measurement from the DITL (day in the life of the Internet) data repository. I will also present potential explanations of the leakage, and highlights of trends associated with global censorship events.

Speaker:
Dr. Aziz Mohaisen
(Verisign Labs)

Slides

12:30

Host Presentation (20m, Westside)

Speaker:
Mr. Marx Peter
(Los Angeles City Council)

12:50

IDNA 2008 & Unicode (20m, Westside)

Speaker:
Patrick Faltstrom

13:10

Lunch (50m)

On your own.

14:00

MS DNS Server Data Mine (20m, Westside)

Speaker:
Mr. Kumar Ashutosh
(Microsoft)

Slides

14:20

Facebook CSIO Update (20m, Westside)

14:40

Yahoo CSIO Update (20m, Westside)

Speaker:
Alex Stamos
(Yahoo)

15:00

DNS Rex: Do you need an aggressive benchmarking tool? (20m, Westside)

I would like to present DNS Rex, an open source performance benchmark for DNS servers, with a focus on busy DNS caching resolvers. DNS Rex was created to address several known (and rumored) problems with existing DNS testing tools. Our goals included:
* reliable generation of high query rates,
* reproducibility of test results,
* ability to sustain any configurable cache hit ratio,
* support for long tests without reliance on trace replay,
* independence from a 3rd-party authoritative server,
* DNSSEC support.
DNS Rex has been successfully used for private tests, and is publicly available[1], but we have not promoted its wider use. Besides describing what DNS Rex can do today, I would like to gauge audience interest in continued development of the tool. Is there a genuine need for a better DNS benchmark? What missing features are the most important?
[1] http://rex.measurement-factory.com/